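// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
#define CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_

#include <map>
#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/onc/onc_certificate_importer.h"
#include "components/onc/onc_constants.h"

namespace base {
class DictionaryValue;
class ListValue;
class SequencedTaskRunner;
class SingleThreadTaskRunner;
}

namespace net {
class NSSCertDatabase;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}

namespace chromeos {
namespace onc {

// This class handles certificate imports from ONC (both policy and user
// imports) into a certificate store. The GUID of Client certificates is stored
// together with the certificate as Nickname. In contrast, Server and CA
// certificates are identified by their PEM and not by GUID.
//
// Web trust for Server/CA certificates is only granted when the import is
// permitted to do so (see |allow_trust_imports| below); the ONC TrustBits
// attribute alone is not sufficient.
// TODO(pneubeck): Replace Nickname by PEM for Client
// certificates. http://crbug.com/252119
class CHROMEOS_EXPORT CertificateImporterImpl : public CertificateImporter {
 public:
  // |io_task_runner| will be used for NSSCertDatabase accesses.
  // |target_nssdb| is the certificate database to which certificates are
  // imported. It is kept as a raw pointer; presumably it is not owned and has
  // to outlive this object -- confirm with the creating code.
  // (Parameter renamed from |target_nssdb_|: the trailing underscore is
  // reserved for members and collided with the member of the same name.)
  CertificateImporterImpl(
      const scoped_refptr<base::SequencedTaskRunner>& io_task_runner,
      net::NSSCertDatabase* target_nssdb);
  virtual ~CertificateImporterImpl();

  // CertificateImporter overrides
  //
  // Imports the ONC certificate list |certificates| that originates from
  // |source|. |done_callback| is invoked when the import has finished.
  // NOTE(review): whether web-trust imports are permitted is presumably
  // derived from |source| before ParseAndStoreCertificates runs -- verify in
  // the .cc; the header does not show the mapping.
  virtual void ImportCertificates(const base::ListValue& certificates,
                                  ::onc::ONCSource source,
                                  const DoneCallback& done_callback) OVERRIDE;

 private:
  // Invokes |callback| with the outcome |success| and the list of
  // certificates for which web trust was requested and granted
  // (|onc_trusted_certificates|).
  void RunDoneCallback(const CertificateImporter::DoneCallback& callback,
                       bool success,
                       const net::CertificateList& onc_trusted_certificates);

  // This is the synchronous implementation of ImportCertificates. It is
  // executed on the given |io_task_runner_|.
  // NOTE(review): |certificates| is passed as a raw pointer; ownership is not
  // visible from this header -- confirm in the .cc.
  static void ParseAndStoreCertificates(::onc::ONCSource source,
                                        const DoneCallback& done_callback,
                                        base::ListValue* certificates,
                                        net::NSSCertDatabase* nssdb);

  // Lists the certificates that have the string |label| as their certificate
  // nickname (exact match).
  static void ListCertsWithNickname(const std::string& label,
                                    net::CertificateList* result,
                                    net::NSSCertDatabase* target_nssdb);

  // Deletes any certificate that has the string |label| as its nickname (exact
  // match).
  static bool DeleteCertAndKeyByNickname(const std::string& label,
                                         net::NSSCertDatabase* target_nssdb);

  // Parses and stores/removes |certificate| in/from the certificate
  // store. Returns true if the operation succeeded.
  // |allow_trust_imports| decides whether the "Web" TrustBits attribute of a
  // Server or CA certificate is honored at all (see
  // ParseServerOrCaCertificate); certificates that received web trust are
  // appended to |onc_trusted_certificates|.
  static bool ParseAndStoreCertificate(
      bool allow_trust_imports,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web" and if
  // the |allow_trust_imports| permission is granted, otherwise the attribute is
  // ignored.
  static bool ParseServerOrCaCertificate(
      bool allow_trust_imports,
      const std::string& cert_type,
      const std::string& guid,
      const base::DictionaryValue& certificate,
      net::NSSCertDatabase* nssdb,
      net::CertificateList* onc_trusted_certificates);

  // Imports the Client certificate |certificate|. Per the class comment, the
  // |guid| is stored as the certificate's nickname so that the certificate
  // can later be found (and removed) by GUID. Returns true on success.
  static bool ParseClientCertificate(const std::string& guid,
                                     const base::DictionaryValue& certificate,
                                     net::NSSCertDatabase* nssdb);

  // The task runner to use for NSSCertDatabase accesses.
  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;

  // The certificate database to which certificates are imported.
  net::NSSCertDatabase* target_nssdb_;

  // NOTE(review): keep this the last member, so that weak pointers are
  // invalidated before the other members are destroyed (Chromium convention;
  // this header does not show how the factory is used).
  base::WeakPtrFactory<CertificateImporterImpl> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(CertificateImporterImpl);
};

}  // namespace onc
}  // namespace chromeos

#endif  // CHROMEOS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_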